\subsection{Requirements}
\label{sec:Running-Requirements}


In \textsc{Mls} \cite{Bell:Lapadula:73}, two concepts are essentially relevant: \emph{objects} designate system resources or data repositories that must be protected (\eg files, directories or terminals); \emph{subjects} denote entities capable of requesting services from system resources (\eg users, or processors). Both are associated to an \emph{access class}: they classify objects and subjects according to their confidentiality, and responsability degree, respectively. Intuitively, an object associated with a high access class can only be seen or manipulated by a highly trusted subject.

For simplification and space limitation purposes, we present a simplified version of a file system consisting only of \emph{files} as possible objects, and \emph{users} as possible subjects. Files can either be read or written by an user, or idle (which implies no simultaneous readings by different users). 

An important quality of such file systems is \emph{confidentiality}, especially against Trojan horses \cite{Abrams:Jajodia:Podell:95}: they consist in code executed by a trusted user without knowing it or consenting for it; they can also pass confidential data by copying sensitive data into files accessible to untrusted users. One common technique for preventing this attack is \emph{data confinement}: a trusted user cannot open simultaneously two files with the most confidential one in read mode and the less confidential in write mode, thus preventing data leaks by copy from the former to the latter.

Therefore in our running example, we aim at enforcing the two following requirements: (\textbf{\texttt{R1}}) a file can be open, either in read or in write mode, only by an user with sufficient access rights; (\textbf{\texttt{R2}}) an user always respects the data confinement condition. 

